Create an episode 1 to 1 that alerts you every tim...

LuísMSB · ‎07-02-2024

Hello,
I have the Unix/Linux Add-on installed in my Splunk Cloud.
This Add-on gives me a list of Inactive Hosts.
How do I create an episode 1 to 1 that alerts me every time a new host goes inactive?

gcusello · ‎07-02-2024

Hi @LuísMSB,

in the Community, you can find thousands of answers to this question!

Anyway, you have two choices:

create a lookup containing the perimeter to monitor,
checks if an host sent logs in the last 30 days and didn't send in the last hour

in the first case, you have to create a lookup called perimeter.csv and containing at least one column (host), then you can run a search like the following

| tstats 
     count
     WHERE index=* 
     BY host
| append [ | inputlookup perimeter.csv | eval count=0 | fields host count ]
| stats 
     sum(count) AS total
     BY host
| where total=0

if instead you don't want to manage a lookup, you can use this search

| tstats 
     latest(_time) AS _time
     count
     WHERE index=* earliest=-30d@d latest=now
     BY host
| eval period=if(_time<now()-3600,"previous","latest")
| stats 
     dc(period) AS period_count
     values(period) AS period
     BY host
| where period_count=1 AND period="previous"

I prefer first solution because gives you more control.

Ciao.

Giuseppe

Create an episode 1 to 1 that alerts you every time a new host goes inactive

development

troubleshooting

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation